Stealthy hackers target military and weapons contractors in recent attack (Security News, September 2022)

Security researchers have discovered a new campaign targeting multiple military contractors involved in weapon manufacturing, including an F-35 Lightning II fighter aircraft components supplier.
The campaign stands out for its secure command-and-control (C2) infrastructure and for the multiple layers of obfuscation applied to its PowerShell stagers.
The phishing email sent to employees carries a ZIP attachment containing a shortcut (LNK) file; when the shortcut is opened, it reaches out to the C2 and launches a chain of PowerShell scripts that infect the system with malware.
Securonix analysts peeled back successive layers of obfuscation: reordering/symbol obfuscation, IEX obfuscation, byte value obfuscation, raw compression, a second reordering pass, string replacement, and backtick obfuscation.
Once the stager's checks pass, the script disables PowerShell Script Block Logging and adds Windows Defender exclusions for ".
Once the PowerShell stager chain completes, an AES-encrypted final payload is downloaded from the C2. "While we were able to download and analyze the header.png file, we were not able to decode it as we believe the campaign was completed and our theory is that the file was replaced in order to prevent further analysis," the researchers explain.
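As an added example (not part of the original article or of Securonix's analysis), the following Python scanner runs over PowerShell script-block text, such as the ScriptBlockText field of Event ID 4104 records from the Microsoft-Windows-PowerShell/Operational log, and flags the obfuscation layers listed above together with the logging and Defender tampering that follows them. The indicator patterns, their weights, the threshold, the RecordId/EventId/ScriptBlockText record shape and both sample script blocks are assumptions constructed for the example; the samples imitate the described techniques and are never executed.

```python
"""
Heuristic scanner for PowerShell script-block text, e.g. the ScriptBlockText
field of Event ID 4104 (Microsoft-Windows-PowerShell/Operational). It flags
the obfuscation layers and the logging/Defender tampering described in the
article. Added example: not Securonix's tooling. Patterns, weights and the
two sample script blocks below are constructed for illustration.
"""
import re

# indicator name -> (regex, weight). Heuristics only: they miss novel
# encodings and can fire on unusual but legitimate administrative scripts.
INDICATORS = {
    # backticks splitting a bare identifier, e.g. Ne`w-Ob`ject (not `n / `t escapes)
    "backtick_obfuscation": (re.compile(r"[A-Za-z]`[A-Za-z]"), 3),
    # Invoke-Expression by alias, or an assembled string invoked with & or . : &('i'+'ex')
    "iex_indirect": (re.compile(r"(?i)\biex\b|invoke-expression|[&.]\s*\(\s*[\'\"$]"), 3),
    # char/byte value arrays rebuilt into code: [char]73+[char]69 or [byte[]](72,...)
    "byte_value_obfuscation": (re.compile(r"(?i)\[(?:char|byte)(?:\[\])?\]\s*\(?\s*\d"), 3),
    # Deflate/GZip-compressed payload inflated at runtime
    "raw_compression": (re.compile(r"(?i)IO\.Compression|DeflateStream|GZipStream"), 3),
    # format-operator reordering: ("{1}{0}" -f 'ex','i')
    "format_reordering": (re.compile(r"(?:\{\d+\}){2,}[^\n]*?\s-f\b"), 2),
    # string replacement that reveals the real token only at runtime
    "string_replacement": (re.compile(r"(?i)-replace\s|\.replace\("), 1),
    # Script Block Logging switched off via the policy key or the in-memory settings cache
    "scriptblock_logging_tamper": (re.compile(r"(?i)EnableScriptBlockLogging|cachedGroupPolicySettings"), 5),
    # Windows Defender exclusions added or features disabled
    "defender_tamper": (re.compile(r"(?i)(?:Add|Set)-MpPreference\s+-(?:Exclusion\w+|Disable\w+)"), 5),
}

SUSPICIOUS_THRESHOLD = 8  # one evasion hit plus one obfuscation hit is enough


def scan_script_block(text):
    """Count indicator hits in one script block and return a weighted verdict."""
    hits = {}
    score = 0
    for name, (pattern, weight) in INDICATORS.items():
        count = len(pattern.findall(text))
        if count:
            hits[name] = count
            score += weight * min(count, 3)  # cap so one noisy indicator cannot dominate
    return {"hits": hits, "score": score, "suspicious": score >= SUSPICIOUS_THRESHOLD}


def triage(events):
    """Return the RecordIds of 4104 events whose script block scores as suspicious."""
    return [e["RecordId"] for e in events
            if e.get("EventId") == 4104
            and scan_script_block(e["ScriptBlockText"])["suspicious"]]


# Constructed samples (not captured from the campaign). Nothing here is executed.
BENIGN_SCRIPT = r'''
Get-ChildItem -Path C:\Logs -Filter *.log |
    ForEach-Object { Write-Output ("{0}`t{1}" -f ($_.Name -replace '\.log$', ''), $_.Length) }
'''

# Mimics the layers the article describes: logging and Defender tampering,
# a backtick-split cmdlet, [char] byte values, format-string reordering,
# Deflate decompression, string replacement and an indirect IEX call.
STAGER_LIKE_SCRIPT = r'''
$k = "Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
Set-ItemProperty -Path HKLM:\$k -Name EnableScriptBlockLogging -Value 0
Add-MpPreference -ExclusionPath $env:TEMP
$w = Ne`w-Ob`ject Net.WebClient
$c = [char]73+[char]69+[char]88
$t = ("{1}{0}" -f 'ex','i')
$z = [IO.Compression.DeflateStream]::new($s, [IO.Compression.CompressionMode]::Decompress)
.($t.Replace('x','X')) $body
&('i'+'e'+'x') $c
'''

SAMPLE_EVENTS = [  # constructed 4104-style records
    {"RecordId": 1001, "EventId": 4104, "ScriptBlockText": BENIGN_SCRIPT},
    {"RecordId": 1002, "EventId": 4104, "ScriptBlockText": STAGER_LIKE_SCRIPT},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        result = scan_script_block(event["ScriptBlockText"])
        print(event["RecordId"], result["score"], result["suspicious"], sorted(result["hits"]))
    print("flagged:", triage(SAMPLE_EVENTS))
```

The tamper indicators carry the highest weight deliberately: once EnableScriptBlockLogging is set to 0, the blocks that follow are not recorded, so the tamper block is often the last 4104 event an analyst will see from that host. Forward 4104 events to a central collector as they are written rather than relying on the local log. Note also that each decoded layer handed to Invoke-Expression is logged as its own script block, so a layered stager like the one described leaves a trail of progressively cleaner blocks right up to the point where logging is switched off.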